European Regulation 910/2014 on Electronic Signatures.


On August 28, 2014, the long-awaited updated regulation on electronic signatures and digital trust was officially published in the Official Journal of the European Union: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

The Regulation has also been published in the BOE (the Spanish Official State Gazette): Regulation 910/2014 on Electronic Signatures.

It is a rule that applies directly in all Member States of the European Union and supersedes their existing legislation on electronic signatures, since that legislation was developed within the framework of Directive 1999/93/EC, which is expressly repealed. It enters into force on September 17, 2014, but its provisions become applicable in a staggered manner: most of them on July 1, 2016, some on September 17, 2014, and others depending on the date of publication of the so-called “implementing acts”, i.e. complementary European Union regulations or national implementing measures of the Member States.

This is the final text of the Regulation:

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1)

The creation of a climate of trust in the online environment is essential for economic and social development. Mistrust, in particular due to perceived legal uncertainty, makes consumers, businesses and public administrations hesitant to carry out transactions electronically and to adopt new services.

(2)

This Regulation aims to enhance trust and confidence in electronic transactions in the internal market by providing a common basis for secure electronic interactions between citizens, businesses and public administrations and thereby increasing the effectiveness of public and private online services, e-business and e-commerce in the Union.

(3)

Directive 1999/93/EC of the European Parliament and of the Council (3) concerns electronic signatures, without providing a comprehensive cross-border and cross-sectoral framework to ensure secure, reliable and user-friendly electronic transactions. This Regulation reinforces and extends the acquis represented by that Directive.

(4)

The Commission Communication of 26 August 2010 entitled “A Digital Agenda for Europe” noted that fragmentation of the digital market, lack of interoperability and increasing cybercrime were major obstacles to the virtuous cycle of the digital economy. In its 2010 citizenship report, entitled “Removing obstacles to EU citizens’ rights”, the Commission also stressed the need to address the main problems that prevent EU citizens from enjoying the benefits of a digital single market and cross-border digital services.

(5)

In its conclusions of 4 February 2011 and 23 October 2011, the European Council invited the Commission to create a digital single market by 2015 in order to make rapid progress in key areas of the digital economy and to promote a fully integrated digital single market by facilitating cross-border use of online services, with a particular focus on secure electronic identification and authentication.

(6)

In its conclusions of 27 May 2011 the Council invited the Commission to contribute to the digital single market by creating appropriate conditions for mutual recognition across borders of key instruments such as electronic identification, electronic documents, electronic signatures and electronic delivery services, as well as for interoperable eGovernment services across the European Union.

(7)

The European Parliament, in its Resolution of 21 September 2010 on completing the internal market for e-commerce (4), underlined the importance of the security of electronic services, especially electronic signatures, and the need to create a pan-European public key infrastructure, and called on the Commission to establish a European validation authority gateway to ensure cross-border interoperability of electronic signatures and to increase the security of transactions carried out over the Internet.

(8)

Directive 2006/123/EC of the European Parliament and of the Council (5) requires Member States to establish “points of single contact” to ensure that all procedures and formalities relating to access to a service activity and to the exercise thereof can be easily carried out, at a distance and by electronic means, through the appropriate single point of contact and with the competent authorities. However, many online services accessible through single points of contact require electronic identification, authentication and signature.

(9)

In most cases, citizens of one Member State cannot use their electronic identification to authenticate themselves in another Member State because the national electronic identification systems in their country are not recognized in other Member States. Such an electronic barrier excludes service providers from fully enjoying the benefits of the internal market. Mutually recognized means of electronic identification will facilitate the cross-border provision of many services in the internal market and enable businesses to operate across borders without encountering obstacles in their interaction with public authorities.

(10)

Directive 2011/24/EU of the European Parliament and of the Council (6) establishes a network of national authorities in charge of e-health. In order to improve the security and continuity of cross-border healthcare, this network is requested to develop guidelines on cross-border access to eHealth data and services, in particular by supporting “common identification and authentication measures to facilitate the transferability of data in cross-border healthcare”. Mutual recognition of electronic identification and authentication is essential to make cross-border healthcare for European citizens a reality. When a person travels for treatment, his or her medical data must be accessible in the country providing the treatment. This requires a robust, secure and reliable electronic identification framework.

(11)

This Regulation should be implemented in such a way as to comply fully with the principles relating to the protection of personal data as laid down in Directive 95/46/EC of the European Parliament and of the Council (7). To that end, having regard to the principle of mutual recognition laid down in this Regulation, authentication for the purposes of an online service should only involve the processing of identification data which are adequate, relevant and not excessive for granting access to the online service concerned. Moreover, trust service providers and the supervisory body should also respect the confidentiality and security of processing requirements provided for in Directive 95/46/EC.

(12)

One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States for authentication at least in public services. This Regulation does not intend to intervene in the electronic identity management systems and related infrastructures established in the Member States. Its purpose is to ensure that secure electronic identification and authentication are possible for access to cross-border online services offered by the Member States.

(13)

Member States should remain free to use or introduce, for the purposes of electronic identification, means of accessing online services. They should also be able to decide whether or not to involve the private sector in the provision of these means. Member States should not be obliged to notify their electronic identification systems to the Commission. It is up to Member States to decide whether to notify all, some or none of the electronic identification schemes used at national level for access to at least public online services or specific services.

(14)

Certain conditions should be laid down in this Regulation as to which means of electronic identification have to be recognized and how the systems are to be notified. This would help each Member State to acquire the necessary confidence in each other’s electronic identification schemes and to mutually recognize the electronic identification means of the notified schemes. The principle of mutual recognition should apply if the electronic identification system of the notifying Member State meets the conditions for notification and the notification has been published in the Official Journal of the European Union. However, the principle of mutual recognition should relate only to authentication for the purposes of an online service. Access to such online services and their final provision to the applicant should be closely linked to the right to receive such services under the conditions laid down by national law.

(15)

The obligation to recognise electronic identification means should relate only to means whose identity assurance level is equal to or higher than the level required for the online service concerned. Moreover, the obligation should apply only where the public sector body concerned uses the “substantial” or “high” assurance level for access to that online service. Member States should remain free, in accordance with Union law, to recognise electronic identification means with lower identity assurance levels.

(16)

Assurance levels should characterise the degree of confidence that an electronic identification means provides in establishing the identity of a person, thus ensuring that the person claiming a given identity is in fact the person to whom that identity has been attributed. The assurance level depends on the degree of confidence that the electronic identification means provides about the identity claimed or asserted by a person, taking into account the technical procedures (e.g. identity proofing and verification, authentication), the management activities (such as the entity issuing the electronic identification means and the procedure for issuing such means) and the controls applied. As a result of Union-funded large-scale pilot projects, standardisation and international activities, several definitions and technical descriptions of assurance levels exist. In particular, the STORK large-scale pilot and ISO 29115 refer, inter alia, to levels 2, 3 and 4, which should be taken into account to the maximum extent possible in establishing the minimum technical requirements, standards and procedures for the low, substantial and high assurance levels within the meaning of this Regulation, while ensuring the consistent application of this Regulation, in particular with regard to the high assurance level in relation to identity proofing for the issuance of qualified certificates. The requirements to be established should be technologically neutral. It should be possible to meet the necessary security requirements by means of various technologies.

(17)

Member States should encourage the private sector to make voluntary use of electronic identification means covered by a notified scheme for identification purposes where this is necessary for online services or electronic transactions. The possibility of using such electronic identification means would allow the private sector to rely on electronic identification and authentication already widely used in many Member States, at least for public services, and would make it easier for businesses and citizens to access their online services across borders. In order to facilitate the cross-border use of such electronic identification means by the private sector, the authentication possibility offered by any Member State should be available to private sector relying parties established outside the territory of that Member State under the same conditions as apply to private sector relying parties established within that Member State. Consequently, as regards private sector relying parties, the notifying Member State may define conditions of access to the means of authentication. Such access conditions may indicate whether the authentication means related to the notified scheme are currently available to private sector relying parties.

(18)

This Regulation establishes the liability of the notifying Member State, of the party issuing the electronic identification means and of the party carrying out the authentication procedure in the event of failure to comply with the relevant obligations provided for in this Regulation. However, this Regulation should be applied in line with national rules on liability. It should therefore not affect such national rules, for example on the definition of damages or on the applicable procedural rules, including the burden of proof.

(19)

The security of electronic identification schemes is essential for confidence in the mutual cross-border recognition of electronic identification means. To this end, Member States should cooperate on the security and interoperability of electronic identification schemes at Union level. Where electronic identification schemes require relying parties to use specific hardware or software at national level, cross-border interoperability requires that Member States do not impose such requirements and the associated costs on relying parties established outside their territory. In that case, appropriate solutions should be discussed and developed within the scope of the interoperability framework. However, technical requirements arising from the intrinsic specifications of national electronic identification means (e.g. smart cards) are unavoidable and may affect the holders of those electronic means.

(20)

The cooperation of the Member States should contribute to the technical interoperability of notified electronic identification schemes with a view to promoting a high level of trust and security, adapted to the degree of risk. The exchange of information and best practices between Member States with a view to their mutual recognition should facilitate such cooperation.

(21)

This Regulation should also establish a general legal framework for the use of trust services. However, it should not create a general obligation to use them or to install an access point for all existing trust services. In particular, it should not cover the provision of services used exclusively within closed systems between a defined set of participants, which have no effect on third parties. For example, systems set up in companies or public administrations to manage internal procedures making use of trust services should not be subject to the obligations of this Regulation. Only trust services provided to the public which have effects on third parties should comply with the obligations laid down in this Regulation. Nor should this Regulation regulate aspects relating to the conclusion and validity of contracts or other legal obligations where there are formal requirements laid down by national or Union law. Furthermore, it should not affect national format requirements for public registers, in particular commercial and land registers.

(22)

In order to contribute to the general cross-border use of trust services, it should be possible to use them as evidence in legal proceedings in all Member States. It is for national law to define the legal effects of trust services, unless otherwise provided for in this Regulation.

(23)

To the extent that this Regulation creates an obligation to recognise a trust service, such a trust service may be rejected only where the recipient is unable to read or verify it for technical reasons beyond the recipient’s immediate control. However, this obligation should not in itself require a public body to obtain the hardware and software necessary for the technical readability of all existing trust services.

(24)

Member States may maintain or introduce national provisions, consistent with Union law, concerning trust services, provided that such services are not fully harmonized by this Regulation. However, trust products and services which comply with this Regulation should be able to circulate freely within the internal market.

(25)

Member States should remain free to define other types of trust services, in addition to those forming part of the closed list of trust services provided for in this Regulation, for the purpose of their recognition at national level as qualified trust services.

(26)

In view of the rapid evolution of technology, this Regulation should adopt an approach open to innovation.

(27)

This Regulation should be technology neutral. The legal effects which it confers should be capable of being achieved by any technical means, provided that the requirements laid down in this Regulation are met.

(28)

In order to enhance in particular the confidence of small and medium-sized enterprises and consumers in the internal market and to promote the use of trust services and trust products, the concepts of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations ensuring a high level of security of any qualified trust service or trust product provided or used.

(29)

In line with the obligations under the United Nations Convention on the Rights of Persons with Disabilities, adopted by Council Decision 2010/48/EC (8), in particular Article 9 of the Convention, persons with disabilities should be able to use the trust services and end-user products used in the provision of these services on an equal basis with other consumers. Therefore, whenever feasible, the trust services provided and the end-user products used in the provision of these services should be made accessible to persons with disabilities. The feasibility assessment should include, among other aspects, technical and economic considerations.

(30)

Member States should designate one or more supervisory bodies to carry out the supervisory activities provided for in this Regulation. Member States should also be able to decide, by mutual agreement with another Member State, to designate a supervisory body within the territory of that other Member State.

(31)

Supervisory bodies should cooperate with data protection authorities, for example by informing them of the results of audits of qualified trust service providers, in the event that personal data protection rules are found to have been infringed. The provision of information should include, in particular, security incidents and personal data breaches.

(32)

All trust service providers should be responsible for implementing good security practices appropriate to the risks associated with their activities in order to promote user confidence in the single market.

(33)

Provisions concerning the use of pseudonyms in certificates should not prevent Member States from requiring the identification of persons in accordance with national or Union law.

(34)

All Member States should follow common essential oversight requirements in order to ensure an equivalent level of security of qualified trust services. In order to facilitate the consistent application of these requirements across the Union, Member States should adopt comparable procedures and exchange information on their supervisory activities and best practices in this field.

(35)

All trust service providers should be subject to the requirements of this Regulation, in particular on security and liability, to ensure due diligence, transparency and accountability in relation to their operations and services. However, taking into account the type of services provided by trust service providers, it is appropriate to distinguish, insofar as these requirements are concerned, between qualified and non-qualified trust service providers.

(36)

The establishment of a supervisory regime for all trust service providers should ensure a level playing field in terms of security and accountability for their operations and services, thus contributing to the protection of users and the functioning of the internal market. Non-qualified trust service providers should be subject to a light-touch, reactive and ex post supervision justified by the nature of their services and operations. The supervisory body should therefore have no general obligation to supervise non-qualified service providers. The supervisory body should act only when it is informed (e.g. by the non-qualified trust service provider itself, by notification from a user or a business partner, or through its own investigations) that a non-qualified trust service provider does not comply with the requirements of this Regulation.

(37)

This Regulation should establish the liability of all trust service providers. In particular, it establishes the liability regime under which all trust service providers should be liable for damage caused to any natural or legal person as a result of their failure to comply with their obligations under this Regulation. In order to facilitate the assessment of the financial risk that trust service providers may have to bear, or that they should cover by insurance policies, this Regulation allows trust service providers to establish limitations, in certain circumstances, on the use of the services they provide and to exempt them from liability for damages resulting from the use of services exceeding those limitations. Customers should be duly informed of these limitations in advance. Such limitations must be recognizable to third parties, e.g. by including information to this effect in the general terms and conditions of the service provided or by other recognizable means. In order to give effect to these principles, this Regulation should be applied in accordance with national rules on liability. This Regulation should therefore not affect such national rules, for example those relating to the definition of damage, intent, negligence or the relevant applicable procedural rules.

(38)

Notification of security breaches and security risk assessments is essential in order to provide adequate information to the parties involved in the event of a security breach or loss of integrity.

(39)

In order to enable the Commission and the Member States to assess the effectiveness of the breach notification mechanism introduced by this Regulation, the supervisory bodies should provide summary information to the Commission and the European Union Agency for Network and Information Security (ENISA).

(40)

In order to enable the Commission and the Member States to assess the effectiveness of the enhanced supervisory mechanism introduced by this Regulation, supervisory bodies should be required to report on their activities. This would be instrumental in facilitating the exchange of best practices between supervisory bodies and would ensure verification that the essential supervisory requirements are applied in a consistent and efficient manner in all Member States.

(41)

In order to ensure the sustainability and durability of qualified trust services and to enhance users’ confidence in the continuity of such services, supervisory bodies should verify the existence and proper implementation of provisions for termination plans in the event that qualified trust service providers cease their activities.

(42)

In order to facilitate the supervision of qualified trust service providers, for example where a provider provides its services in the territory of another Member State and is not subject to supervision there, or where a provider’s servers are located in the territory of a Member State other than the one in which it is established, a system of mutual assistance between the supervisory bodies of the Member States should be set up.

(43)

In order to ensure compliance of qualified trust service providers and the services they provide with the requirements of this Regulation, conformity assessment bodies should carry out conformity assessments, and qualified trust service providers should transmit the conformity assessment reports to the supervisory body. Whenever the supervisory body requires a qualified trust service provider to submit an ad hoc conformity assessment report, the supervisory body should observe, in particular, the principle of good administration, including the obligation to give reasons for its decisions, as well as the principle of proportionality. The supervisory body should therefore duly justify any decision requiring an ad hoc conformity assessment.

(44)

The purpose of this Regulation is to provide a coherent framework with a view to ensuring a high level of security and legal certainty for trust services. In this regard, the Commission, when examining the conformity assessment of products and services, should seek, where appropriate, to establish synergies with relevant European and international systems, such as Regulation (EC) No 765/2008 of the European Parliament and of the Council (9) setting out the requirements for the accreditation of conformity assessment bodies and for market surveillance of products.

(45)

In order to enable an efficient start-up process, leading to the inclusion of qualified trust service providers and the qualified trust services they provide in trusted lists, preliminary interactions between candidate qualified trust service providers and the competent supervisory body should be encouraged with a view to facilitating due diligence leading to the provision of qualified trust services.

(46)

Trusted lists are essential elements in building confidence among market operators as they indicate the qualification of the service provider at the time of supervision.

(47)

Trust in online services and the convenience of these services are essential if users are to take full advantage of them and consciously trust e-services. To this end, an “EU” trust label should be created to identify qualified trust services provided by qualified trust service providers. This “EU” trust label for qualified trust services would clearly differentiate qualified trust services from other trust services, thus contributing to improved market transparency. The use of an “EU” trust label by qualified trust service providers is voluntary and should not imply any requirements other than those set out in this Regulation.

(48)

While a high level of security is necessary to ensure mutual recognition of electronic signatures, in certain cases, such as for example in the context of Commission Decision 2009/767/EC (10), electronic signatures which have a lower assurance of security should also be accepted.

(49)

This Regulation should establish the principle that the legal effect of an electronic signature should not be denied on the sole ground that it is an electronic signature or that it does not meet all the requirements of a qualified electronic signature. However, it is for national law to determine the legal effects of electronic signatures in the Member States, except for the requirements laid down in this Regulation according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature.

(50)

As competent authorities in the Member States currently use different advanced electronic signature formats to electronically sign their documents, it is necessary to ensure that Member States can technically support at least one set of advanced electronic signature formats when receiving electronically signed documents. Similarly, where the competent authorities of the Member States use advanced electronic seals, it would be necessary to ensure that they support at least a range of advanced electronic seal formats.

(51)

It should be possible for the signatory to entrust qualified electronic signature creation devices to a third party, provided that appropriate procedures and mechanisms are in place to ensure that the signatory has sole control over the use of his electronic signature creation data and that the use of the device complies with the requirements for qualified electronic signatures.

(52)

Because of its many economic benefits, remote electronic signature creation, where the electronic signature creation environment is managed by a trust service provider on behalf of the signatory, is set to develop further. However, in order to ensure that such electronic signatures obtain the same legal recognition as electronic signatures created in a fully user-managed environment, providers offering remote electronic signature services should apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels, to ensure that the electronic signature creation environment is reliable and is used under the sole control of the signatory. Where a qualified electronic signature is created by means of a remote electronic signature creation device, the requirements applicable to qualified trust service providers under this Regulation should apply.

(53)

Suspension of qualified certificates is an established operational practice of trust service providers in a number of Member States, distinct from revocation and entailing the temporary loss of validity of a certificate. Legal certainty requires that the suspension of a certificate must always be clearly indicated. To this end, trust service providers should be responsible for clearly indicating the status of the certificate and, if suspended, the precise period for which it has been suspended. This Regulation should not impose on trust service providers and Member States the use of suspension, but should provide for transparency rules where and when this practice is possible.

(54)

Cross-border interoperability and recognition of qualified certificates is a prerequisite for cross-border recognition of qualified electronic signatures. Therefore, qualified certificates should not be subject to any mandatory requirements that go beyond the requirements laid down in this Regulation. However, the inclusion of specific attributes, for example unique identifiers, in qualified certificates should be allowed at national level, provided that such specific attributes do not compromise the interoperability and cross-border recognition of qualified certificates and qualified electronic signatures.

(55)

IT security certification based on international standards (such as ISO 15408 and related assessment methods and mutual recognition agreements) is an important tool for verifying the security of qualified electronic signature creation devices and should be encouraged. However, innovative solutions and services (such as mobile signing and cloud signing) rely on technical and organisational solutions for qualified electronic signature creation devices for which security standards may not yet be available or for which the first IT security certification may still be in progress. It should be possible to assess the security level of such qualified electronic signature creation devices by means of alternative processes only where security standards are not yet available or where the first IT security certification is still in progress. Such processes should be comparable to IT security certification standards insofar as the security levels are equivalent. These processes may be facilitated by peer review.

(56)

This Regulation lays down requirements for qualified electronic signature creation devices in order to ensure the functionality of advanced electronic signatures. This Regulation should not cover the entire system environment in which such devices operate. The subject matter of the certification of qualified signature-creation devices should therefore be limited to the hardware and software used to manage and protect the signature-creation data created, stored or processed in the signature-creation device. As specified in the relevant standards, the scope of the certification obligation should exclude signature creation applications.

(57)

In order to provide legal certainty as to the validity of the signature, it is essential to detail which components of a qualified electronic signature are to be assessed by the validating user party. On the other hand, specifying the requirements for qualified trust service providers that can provide a qualified validation service to user parties unwilling or unable to perform the validation of qualified electronic signatures themselves should encourage the private and public sectors to invest in such services. Both elements should contribute to making the validation of qualified electronic signatures easy and convenient for all parties at the Union level.

(58)

Where a transaction requires a qualified electronic seal of a legal person, a qualified electronic signature of the authorized representative of the legal person should be equally acceptable.

(59)

Electronic seals should serve as proof that an electronic document has been issued by a legal person, providing certainty as to the origin and integrity of the document.

(60)

Trust service providers issuing qualified certificates for electronic seals should put in place the necessary measures to be able to establish the identity of the natural person representing the legal person to whom the qualified certificate for electronic seals is delivered, where such identification is required at national level in the context of judicial or administrative proceedings.

(61)

This Regulation should ensure the long-term preservation of information, i.e. the legal validity of electronic signatures and electronic seals over extended periods of time, by ensuring that they can be validated independently of future developments in technology.

(62)

In order to ensure the security of qualified electronic time-stamp tokens, this Regulation should require the use of advanced electronic seals or advanced electronic signatures, or other equivalent methods. It is to be expected that innovation will lead to new technologies that ensure an equivalent level of security of time-stamp tokens. Whenever a method other than an advanced electronic seal or an advanced electronic signature is used, it should be up to the qualified trust service provider to demonstrate, in the conformity assessment report, that such method ensures an equivalent level of security and complies with the obligations laid down in this Regulation.

(63)

Electronic documents are important for the further development of cross-border electronic transactions in the internal market. This Regulation should establish the principle that an electronic document should not be denied legal effect solely on the grounds that it is in electronic form in order to ensure that an electronic transaction is not rejected solely on the grounds that the document is in electronic form.

(64)

When considering advanced electronic signature and seal formats, the Commission should rely on existing practices, rules and regulations, and in particular Commission Decision 2011/130/EU (11).

(65)

In addition to authenticating the document issued by the legal person, electronic seals may be used to authenticate any digital assets of the legal person, for example, software or servers.

(66)

It is essential to provide a legal framework to facilitate cross-border recognition between existing national legal systems related to certified electronic delivery services. Such a framework may also open up new market opportunities for trusted service providers in the Union to offer new pan-European electronic registered delivery services.

(67)

Website authentication services provide a means by which a person visiting a website can be assured that there is an authentic and legitimate entity behind the website. These services help to build trust and confidence in the conduct of online business transactions, as users will rely on a website that has been authenticated. The provision and use of website authentication services is entirely voluntary. However, in order for website authentication to become a means of enhancing trust, providing a better user experience and fostering growth in the internal market, this Regulation should establish minimum security and liability obligations for providers and the services they provide. To this end, the results of leading industry-led initiatives (e.g. the CA/Browser Forum of Certification Authorities and Browsers) have been taken into account. Moreover, this Regulation should not preclude the use of other means or methods of website authentication that are not covered by this Regulation, nor should it prevent third-country providers of website authentication services from providing their services to customers located in the Union. However, website authentication services of a provider from a third country shall only be recognised as qualified services in accordance with this Regulation where an international agreement has been concluded between the Union and the country of establishment of the provider.

(68)

In accordance with the provisions of the Treaty on the Functioning of the European Union (TFEU) on establishment, the concept of “legal persons” allows operators to freely choose the legal form they consider appropriate for the conduct of their activities. Therefore, “legal persons” within the meaning of the TFEU include all entities incorporated under, or governed by, the law of a Member State, irrespective of their legal form.

(69)

The institutions, bodies, offices and agencies of the European Union are encouraged to recognize the electronic identification and trust services covered by this Regulation for the purposes of administrative cooperation, building in particular on existing good practices and the results of ongoing projects in the areas covered by this Regulation.

(70)

In order to supplement certain specific technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the criteria to be met by bodies responsible for the certification of qualified electronic signature creation devices. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

(71)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission in particular to specify the reference numbers of standards the use of which would give a presumption of compliance with certain requirements laid down in this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (12).

(72)

When adopting delegated or implementing acts, the Commission should take due account of technical standards and specifications developed by European and international standardisation organisations and bodies, in particular the European Committee for Standardisation (CEN), the European Telecommunications Standards Institute (ETSI), the International Organisation for Standardisation (ISO) and the International Telecommunication Union (ITU), with a view to ensuring a high level of security and interoperability of electronic identification and trust services.

(73)

For reasons of legal certainty and clarity, Directive 1999/93/EC should be repealed.

(74)

In order to provide legal certainty for market operators already using qualified certificates issued to natural persons in accordance with Directive 1999/93/EC, it is necessary to provide for a sufficient transition period. Similarly, transitional measures should be provided for secure signature-creation devices, the conformity of which has been determined in accordance with Directive 1999/93/EC, as well as for certification service providers issuing qualified certificates before 1 July 2016. Finally, it is also necessary to provide the Commission with the necessary means to adopt implementing acts and delegated acts before that date.

(75)

The implementation dates provided for in this Regulation should not prevent Member States from complying with their existing obligations under Union law, in particular Directive 2006/123/EC.

(76)

Since the objective of this Regulation cannot be sufficiently achieved by the Member States but can rather, by reason of the scale of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in the same Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

(77)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (13) and delivered an opinion on 27 September 2012 (14).

HAVE ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter

With the objective of ensuring the proper functioning of the internal market while aiming at an adequate level of security of electronic identification means and trust services, this Regulation:

a)

lays down the conditions under which Member States shall recognize the electronic identification means of natural and legal persons belonging to a notified electronic identification scheme of another Member State,

b)

lays down rules for trust services, in particular for electronic transactions; and

c)

establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, certified electronic delivery services and certificate services for website authentication.

Article 2

Scope of application

1. This Regulation applies to electronic identification schemes notified by Member States and to trust service providers established in the Union.

2. This Regulation does not apply to the provision of trust services used exclusively within closed systems resulting from national law or from agreements between a defined set of participants.

3. This Regulation does not affect national or Union law relating to the conclusion and validity of contracts or other legal or procedural obligations relating to form.

Article 3

Definitions

For the purposes of this Regulation, the following definitions shall apply:

1)

“electronic identification” means the process of using a person’s identification data in electronic form that uniquely represents a natural or legal person or a natural person representing a legal person;

2)

“electronic identification means” means a tangible and/or intangible unit containing a person’s identification data that is used for authentication in online services;

3)

“person identification data” means a set of data that makes it possible to establish the identity of a natural or legal person, or of a natural person representing a legal person;

4)

“electronic identification system” means a scheme for electronic identification under which electronic identification means are issued to natural or legal persons or to a natural person representing a legal person;

5)

“authentication” means an electronic process that makes possible the electronic identification of a natural or legal person, or of the origin and integrity of data in electronic form;

6)

“user party” means the natural or legal person who relies on the electronic identification or trust service;

7)

“public sector body” means state, regional or local authorities, bodies governed by public law and associations formed by one or more of these authorities or one or more of these bodies governed by public law, or private entities mandated by at least one of these authorities, bodies or associations to provide public services acting in that capacity;

8)

“body governed by public law” means a body as defined in point (4) of Article 2(1) of Directive 2014/24/EU of the European Parliament and of the Council (15);

9)

“signatory” means a natural person who creates an electronic signature;

10)

“electronic signature” means data in electronic form attached to or logically associated with other electronic data that is used by the signatory to sign;

11)

“advanced electronic signature” means an electronic signature that meets the requirements referred to in Article 26;

12)

“qualified electronic signature” means an advanced electronic signature that is created by means of a qualified electronic signature creation device and that is based on a qualified electronic signature certificate;

13)

“electronic signature creation data” means the unique data used by the signatory to create an electronic signature;

14)

“electronic signature certificate” means an electronic statement that links the validation data of a signature to a natural person and confirms at least the name or pseudonym of that person;

15)

“qualified electronic signature certificate” means an electronic signature certificate that has been issued by a qualified trust service provider and meets the requirements set out in Annex I;

16)

“trust service” means an electronic service usually provided for remuneration, consisting of:

a)

the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, certified electronic delivery services and certificates relating to these services; or

b)

the creation, verification and validation of certificates for the authentication of websites; or

c)

the preservation of electronic signatures, seals or certificates relating to these services;

17)

“qualified trust service” means a trust service that complies with the applicable requirements set out in this Regulation;

18)

“conformity assessment body” means a body as defined in point 13 of Article 2 of Regulation (EC) No 765/2008 whose competence to perform a conformity assessment of a qualified trust service provider and the qualified trust services provided by it is accredited under that Regulation;

19)

“trust service provider” means a natural or legal person who provides one or more trust services, either as a qualified trust service provider or as an unqualified trust service provider;

20)

“qualified trust service provider” means a trust service provider who provides one or more qualified trust services and has been granted qualification by the supervisory body;

21)

“product” means computer hardware or software, or the relevant components thereof, intended to be used for the provision of trust services;

22)

“electronic signature creation device” means configured hardware or software used to create an electronic signature;

23)

“qualified electronic signature creation device” means an electronic signature creation device that meets the requirements listed in Annex II;

 
24)
 
“creator of a seal” means a legal person who creates an electronic seal;
 
25)
 
“electronic seal” means data in electronic format attached to other data in electronic format, or logically associated with them, to guarantee the origin and integrity of the latter;
 
26)
 
“advanced electronic seal” means an electronic seal that meets the requirements referred to in Article 36;
 
27)
 
“qualified electronic seal” means an advanced electronic seal that is created by means of a qualified electronic seal creation device and that is based on a qualified electronic seal certificate;
 
28)
 
“electronic seal creation data” means the unique data used by the creator of the electronic seal to create the electronic seal;
 
29)
 
“electronic seal certificate” means an electronic statement that links the validation data of a seal to a legal person and confirms the name of that person;
 
30)
 
“qualified electronic seal certificate” means an electronic seal certificate that has been issued by a qualified trust service provider and meets the requirements set out in Annex III;
 
31)
 
“electronic seal creation device” means configured hardware or software that is used to create an electronic seal;
 
32)
 
“qualified electronic seal creation device” means an electronic seal creation device that meets mutatis mutandis the requirements listed in Annex II;
 
33)
 
“electronic time stamp” means data in electronic format linking other data in electronic format to a specific instant in time, providing proof that the latter data existed at that instant;
 
34)
 
“qualified electronic time stamp” means an electronic time stamp that meets the requirements set forth in Article 42;
 
35)
 
“electronic document” means any content stored in electronic format, in particular text or sound, visual or audiovisual record;
 
36)
 
“certified electronic delivery service” means a service that enables data to be transmitted between third parties by electronic means and provides evidence relating to the management of the data transmitted, including proof of the sending and receipt of the data, and that protects the data transmitted against the risks of loss, theft, damage or unauthorized alteration;
 
37)
 
“qualified electronic certified delivery service” means an electronic certified delivery service that meets the requirements set forth in Article 44;
 
38)
 
“website authentication certificate” means a statement that authenticates a website and links the website to the natural or legal person to whom the certificate has been issued;
 
39)
 
“qualified website authentication certificate” means a website authentication certificate issued by a qualified trust service provider and meeting the requirements set out in Annex IV;
 
40)
 
“validation data” means the data used to validate an electronic signature or an electronic seal;
 
41)
 
“validation” means the process of verifying and confirming the validity of an electronic signature or electronic seal.
 
Article 4
 
Internal market principle
 
No restriction shall be imposed on the provision of trust services in the territory of a Member State by a trust service provider established in another Member State for reasons falling within the scope of this Regulation.
 
The free movement within the internal market of trust products and services which comply with this Regulation shall be allowed.
 
Article 5
 
Data processing and data protection
 
1. The processing of personal data shall be in accordance with the provisions of Directive 95/46/EC.
 
2. Without prejudice to the legal effects of pseudonyms under national law, their use in electronic transactions shall not be prohibited.
 
CHAPTER II
 
ELECTRONIC IDENTIFICATION
 
Article 6
 
Mutual recognition
 
1. Where electronic identification using an electronic identification means and authentication under national law or administrative practice is necessary to access a service provided online by a public sector body in a Member State, the electronic identification means issued in another Member State shall be recognized in that Member State for the purpose of cross-border authentication in that online service, provided that:
 
a)
 
that electronic identification means has been issued under an electronic identification scheme included in the list published by the Commission in accordance with Article 9;
 
b)
 
the security level of that electronic identification means corresponds to a security level equal to or higher than the security level required by the public sector body to access that online service in the first Member State, provided that the security level of that electronic identification means corresponds to a substantial or high security level;
 
c)
 
the public sector body concerned uses a substantial or high level of security in relation to access to that online service.
 
This recognition shall take place no later than 12 months after the Commission publishes the list referred to in point (a) of the first subparagraph.
 
2. An electronic identification means issued by an electronic identification scheme included in the list published by the Commission in accordance with Article 9 and corresponding to the low security level may be recognized by public sector bodies for the purpose of cross-border authentication of the service provided online by those bodies.
 
Article 7
 
Conditions for notification of electronic identification schemes
 
An electronic identification scheme may be subject to notification pursuant to Article 9(1) if all of the following conditions are fulfilled:
 
a)
 
the electronic identification means under the electronic identification scheme have been issued:
 
i)
 
by the notifying Member State,
 
ii)
 
by order of the notifying Member State, or
 
iii)
 
independently of the notifying Member State and recognized by that Member State;
 
b)
 
the means of electronic identification under the electronic identification scheme can be used to access at least one service provided by a public sector body requiring electronic identification in the notifying Member State;
 
c)
 
both the electronic identification scheme and the electronic identification means issued thereunder meet the requirements of at least one of the security levels provided for in the implementing act referred to in Article 8(3);
 
d)
 
the notifying Member State ensures that the person identification data uniquely representing the person concerned are attributed, in accordance with the technical specifications, standards and procedures of the relevant security level laid down in the implementing act referred to in Article 8(3), to the natural or legal person referred to in Article 3(1) at the time of issue of the electronic identification means provided for in this scheme;
 
e)
 
the party issuing the electronic identification means provided for in this scheme ensures that the electronic identification means are attributed to the person referred to in point (d) of this Article in accordance with the technical specifications, standards and procedures of the relevant security level laid down in the implementing act referred to in Article 8(3);
 
f)
 
the notifying Member State ensures the availability of online authentication in such a way that any user party established in the territory of another Member State can confirm the person identification data received in electronic form.
 
For user parties other than public sector bodies, the notifying Member State may define the conditions of access to such authentication. Cross-border authentication shall be free of charge when performed in connection with an online service provided by a public sector body.
 
Member States shall not impose disproportionate specific technical requirements on user parties intending to carry out such authentication, where such requirements prevent or significantly impede the interoperability of the notified electronic identification systems;
 
g)
 
at least six months prior to the notification referred to in Article 9(1), the notifying Member State shall submit to the other Member States, for the purposes of the obligation referred to in Article 12(5), a description of that system, in accordance with the procedural arrangements laid down in the implementing acts referred to in Article 12(7);
 
h)
 
the electronic identification scheme complies with the requirements of the implementing act referred to in Article 12(8).
 
Article 8
 
Security levels of electronic identification schemes
 
1. An electronic identification scheme notified under Article 9(1) shall specify low, substantial and high security levels for the electronic identification means issued thereunder.
 
2. The low, substantial and high security levels shall meet the following criteria, respectively:
 
a)
 
the low security level shall refer to an electronic identification means, in the context of an electronic identification scheme, which establishes a limited degree of confidence in the claimed or declared identity of a person and is described by reference to the technical specifications, standards and procedures thereof, including technical controls, and which is intended to reduce the risk of misuse or alteration of identity;
 
b)
 
the substantial level of security shall refer to an electronic identification means, in the context of an electronic identification system, which establishes a substantial degree of confidence in the claimed or declared identity of a person and is described by reference to the technical specifications, standards and procedures thereof, including technical controls, and the objective of which is to substantially reduce the risk of misuse or alteration of identity;
 
c)
 
high security level shall refer to an electronic identification means, in the context of an electronic identification scheme, which establishes a degree of confidence in the claimed or declared identity of a person that is superior to an electronic identification means with a substantial level of security, and is described by reference to the technical specifications, standards and procedures thereof, including technical controls, which aim to prevent misuse or alteration of identity.
 
3. By 18 September 2015, taking into account relevant international standards and subject to paragraph 2, the Commission shall, by means of implementing acts, lay down the minimum technical specifications, standards and procedures by reference to which the low, substantial and high security levels of electronic identification means for the purposes of paragraph 1 shall be specified.
 
Those minimum technical specifications, standards and procedures shall be established with reference to the reliability and quality of the following elements:
 
a)
 
the procedure for proving and verifying the identity of natural or legal persons applying for the issuance of electronic identification means;
 
b)
 
the procedure for issuing the electronic identification means requested;
 
c)
 
the authentication mechanism by which the natural or legal person uses the electronic identification means to confirm his or her identity to a user party;
 
d)
 
the entity issuing the electronic identification means;
 
e)
 
any other body involved in the application for the issuance of electronic identification means; and
 
f)
 
the technical and security specifications of the electronic identification means.
 
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
 
Article 9
 
Notification
 
1. The notifying Member State shall transmit to the Commission the following information and, without undue delay, any subsequent amendments thereto:
 
a)
 
a description of the electronic identification scheme, including its security levels and the issuer(s) of the electronic identification means under this scheme;
 
b)
 
the applicable oversight regime and information on the liability regime with respect to:
 
i)
 
the party issuing the electronic identification means, and
 
ii)
 
the party using the authentication procedure;
 
c)
 
the authority or authorities responsible for the electronic identification system;
 
d)
 
information on the entity or entities managing the registration of the person’s unique identification data;
 
e)
 
a description of how the requirements of the implementing acts referred to in Article 12(8) are fulfilled;
 
f)
 
a description of the authentication referred to in Article 7(f);
 
g)
 
arrangements for the suspension or revocation of either the notified electronic identification scheme or the authentication, or of the compromised parts concerned.
 
2. One year after the date of application of the implementing acts referred to in Article 8(3) and Article 12(8), the Commission shall publish in the Official Journal of the European Union the list of electronic identification schemes notified in accordance with paragraph 1 of this Article and the basic information thereon.
 
3. If the Commission receives a notification after the end of the period referred to in paragraph 2, it shall publish in the Official Journal of the European Union the amendments to the list referred to in paragraph 2 within two months of the date of receipt of that notification.
 
4. Any Member State may submit a request to the Commission to remove an electronic identification scheme notified by that Member State from the list referred to in paragraph 2. The Commission shall publish in the Official Journal of the European Union the corresponding amendments to the list within one month of the date of receipt of the Member State’s request.
 
5. The Commission may, by means of implementing acts, define the circumstances, formats and procedures relating to the notification referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
 
Article 10
 
Security breach
 
1. Where the electronic identification scheme notified in accordance with Article 9(1) or the authentication referred to in Article 7(f) has been breached or partially compromised in a way that affects the reliability of the cross-border authentication of that scheme, the notifying Member State shall without undue delay suspend or revoke such cross-border authentication or the compromised parts concerned and shall inform the other Member States and the Commission thereof.
 
2. Where the breach or compromise referred to in paragraph 1 has been remedied, the notifying Member State shall reinstate the cross-border authentication and inform the other Member States and the Commission thereof without undue delay.
 
If the breach or compromise referred to in paragraph 1 is not remedied within three months of the suspension or revocation, the notifying Member State shall inform the other Member States and the Commission of the withdrawal of the electronic identification scheme.
 
The Commission shall publish the relevant amendments to the list referred to in Article 9(2) in the Official Journal of the European Union without undue delay.
 
Article 11
 
Liability
 
1. The notifying Member State shall be liable for any damage caused intentionally or negligently to any natural or legal person in the event of failure to comply with its obligations under Article 7(d) and (f) in a cross-border transaction.
 
2. The party issuing the electronic identification means shall be liable for damages caused intentionally or negligently to any natural or legal person in the event of a breach of its obligations under Article 7(e) in a cross-border transaction.
 
3. The party performing the authentication procedure shall be liable for damages caused intentionally or negligently to any natural or legal person in the event of a breach of its obligations under Article 7(f) in a cross-border transaction.
 
4. Paragraphs 1, 2 and 3 shall apply in accordance with national rules on liability.
 
5. Paragraphs 1, 2 and 3 shall be without prejudice to the liability of the parties in accordance with national law in relation to a transaction involving the use of electronic identification means included in the electronic identification scheme notified under Article 9(1).
 
Article 12
 
Cooperation and interoperability
 
1. National electronic identification schemes notified in accordance with Article 9(1) shall be interoperable.
 
2. For the purposes of paragraph 1, an interoperability framework shall be established.
 
3. The interoperability framework shall meet the following criteria:
 
a)
 
aim to be technology neutral and not discriminate between specific national technical solutions for electronic identification within the Member States;
 
b)
 
comply with international and European standards, wherever possible;
 
c)
 
facilitate the application of the principle of privacy by design; and
 
d)
 
ensure that personal data is processed in accordance with Directive 95/46/EC.
 
4. The interoperability framework shall consist of the following:
 
a)
 
a reference to the minimum technical requirements concerning the assurance levels referred to in Article 8;

b)

a mapping of the national assurance levels of notified electronic identification schemes to the assurance levels referred to in Article 8;
 
c)
 
a reference to the minimum technical requirements for interoperability;
 
d)
 
a reference to a minimum set of person identification data that uniquely represents a natural or legal person, and that is available in electronic identification systems;
 
e)
 
rules of procedure;
 
f)
 
arrangements for the settlement of disputes; and

g)

common operational security standards.
 
5. Member States shall cooperate with respect to the following:
 
a)
 
the interoperability of electronic identification schemes notified in accordance with Article 9(1) and electronic identification schemes which Member States intend to notify, and
 
b)
 
the security of electronic identification schemes.
 
6. Cooperation between Member States shall consist of:
 
a)
 
an exchange of information, experience and best practices on electronic identification schemes, in particular on technical requirements related to interoperability and security levels;
 
b)
 
an exchange of information, experience and best practices on working with the security levels of the electronic identification schemes referred to in Article 8;
 
c)
 
a peer review of electronic identification schemes falling within the scope of this Regulation; and
 
d)
 
a review of relevant developments in the electronic identification sector.
 
7. By 18 March 2015, the Commission shall, by means of implementing acts, lay down the procedural arrangements necessary to facilitate the cooperation between the Member States referred to in paragraphs 5 and 6, with a view to promoting a high level of trust and confidence commensurate with the level of risk.
 
8. By 18 September 2015, for the purpose of establishing uniform conditions for the implementation of the requirements of paragraph 1, the Commission shall, without prejudice to the criteria set out in paragraph 3 and taking into account the results of the cooperation between Member States, adopt implementing acts on the interoperability framework as set out in paragraph 4.
 
9. The implementing acts referred to in paragraphs 7 and 8 of this Article shall be adopted in accordance with the examination procedure referred to in Article 48(2).
 
CHAPTER III
 
TRUST SERVICES
 
SECTION 1
 
General Provisions
 
Article 13
 
Liability and burden of proof
 
1. Without prejudice to paragraph 2, trust service providers shall be liable for damage caused intentionally or negligently to any natural or legal person due to a failure to comply with the obligations laid down in this Regulation.

The burden of proving intention or negligence of a non-qualified trust service provider shall lie with the natural or legal person claiming the damage referred to in the first subparagraph.

The intention or negligence of a qualified trust service provider shall be presumed unless that qualified trust service provider proves that the damage referred to in the first subparagraph occurred without the intention or negligence of that qualified trust service provider.

2. Where trust service providers duly inform their customers in advance of the limitations on use of the services they provide, and where those limitations are recognisable to third parties, trust service providers shall not be liable for damages arising from the use of services exceeding the indicated limitations.

3. Paragraphs 1 and 2 shall be applied in accordance with national rules on liability.
 
 
Article 14
 
International aspects
 
1. Trust services provided by trust service providers established in a third country shall be recognised as legally equivalent to qualified trust services provided by qualified trust service providers established in the Union if the trust services originating from the third country are recognised under an agreement concluded between the Union and the third country concerned or international organisations in accordance with Article 218 TFEU.
 
2. The agreements referred to in paragraph 1 shall ensure, in particular, that:
 
a)
 
the trust service providers from third countries or international organisations with which agreements are concluded and the trust services they provide comply with the requirements applicable to qualified trust service providers established in the Union and the qualified trust services they provide;
 
b)
 
the qualified trust services provided by qualified trust service providers established in the Union are recognized as legally equivalent to trust services provided by service providers in third countries or international organizations with which agreements are concluded.
 
Article 15
 
Accessibility for persons with disabilities
 
Wherever feasible, the trust services provided and the end-user products used in the provision of these services shall be accessible to persons with disabilities.
 
Article 16
 
Penalties
 
Member States shall lay down rules on penalties applicable to infringements of this Regulation. The penalties provided for shall be effective, proportionate and dissuasive.
 
SECTION 2
 
Supervision
 
Article 17

Supervisory body

1. Member States shall designate a supervisory body established on their territory or, subject to mutual agreement with another Member State, a supervisory body established in another Member State. That body shall be responsible for the supervisory functions in the designating Member State.
 
The supervisory bodies shall have the necessary powers and adequate resources for the exercise of their functions.
 
2. Member States shall notify the Commission of the names and addresses of their respective designated supervisory bodies.
 
3. The tasks of the supervisory body shall be the following:
 
a)
 
to supervise qualified trust service providers established in the territory of the designating Member State in order to ensure, through ex ante and ex post supervisory activities, that those qualified trust service providers, and the qualified trust services provided by them, comply with the requirements set out in this Regulation;
 
b)
 
to take action, if necessary, in relation to non-qualified trust service providers established in the territory of the designating Member State, through ex post supervisory activities, when informed that those non-qualified trust service providers, or the trust services they provide, allegedly do not meet the requirements laid down in this Regulation.
 
4. For the purposes of paragraph 3, and subject to the limitations set out therein, the tasks of the supervisory body shall include, in particular:
 
a)
 
cooperating with and assisting other bodies in accordance with Article 18;
 
b)
 
analyzing the conformity assessment reports referred to in Articles 20(1) and 21(1);
 
c)
 
inform other supervisory bodies and the public about breaches of security or loss of integrity in accordance with Article 19(2);
 
d)
 
inform the Commission of its main activities in accordance with paragraph 6 of this Article;
 
e)
 
carry out audits or request a conformity assessment body to carry out a conformity assessment of qualified trust service providers in accordance with Article 20(2);
 
f)
 
cooperate with data protection authorities, in particular by informing them, without undue delay, of the results of audits of qualified trust service providers, in case of possible infringement of rules on the protection of personal data;
 
g)
 
granting qualification to trust service providers and the trust services they provide, and withdrawing this qualification, in accordance with Articles 20 and 21;
 
h)
 
notify the body responsible for the trusted list referred to in Article 22(3) of its decision to grant or withdraw qualification, unless that body is also the supervisory body;
 
i)
 
verify the existence and correct application of the provisions relating to termination plans in the event that trust service providers cease their activities, including the manner in which the information is made accessible, in accordance with Article 24(2)(h);
 
j)
 
require trust service providers to correct any non-compliance with the requirements set out in this Regulation.
 
5. Member States may provide for the supervisory body to establish, maintain and update a trust infrastructure in accordance with the conditions laid down in national law.
 
6. By 31 March each year, each supervisory body shall submit to the Commission a report on its main activities in the preceding calendar year together with a summary of the breach notifications received from trust service providers in accordance with Article 19(2).
 
7. The Commission shall make the annual report referred to in paragraph 6 available to the Member States.
 
8. The Commission may, by means of implementing acts, define the formats and procedures relating to the report referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
 
Article 18
 
Mutual Assistance
 
1. Supervisory bodies shall cooperate with a view to exchanging best practices.
 
A supervisory body shall, upon a reasoned request from another supervisory body, provide assistance to that body with a view to enabling the activities of the supervisory bodies to be carried out in a consistent manner. Mutual assistance may include, in particular, requests for information and monitoring measures, such as requests for inspections to be carried out in connection with the conformity assessment reports referred to in Articles 20 and 21.
 
2. The supervisory body to which a request for assistance has been addressed may refuse such a request on any of the following grounds:
 
a)
 
the supervisory body is not competent to provide the assistance requested;
 
b)
 
the assistance requested is not proportionate to the supervisory activities of the supervisory body carried out in accordance with Article 17;
 
c)
 
the provision of the assistance requested would be incompatible with this Regulation.
 
3. Where appropriate, Member States may authorise their respective supervisory bodies to conduct joint investigations involving staff from supervisory bodies of other Member States. The arrangements and procedures for such joint activities shall be approved and established by the Member States concerned in accordance with their national laws.
 
Article 19
 
Security requirements for trust service providers
 
1. Qualified and non-qualified trust service providers shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to the latest state of the art, those measures shall ensure a level of security commensurate with the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and to inform stakeholders of the adverse effects of any such incidents.
 
2. Qualified and non-qualified trust service providers shall, without undue delay but in any event within 24 hours of becoming aware of them, notify the supervisory body and, where relevant, other relevant bodies such as the national competent body for information security, or the data protection authority, of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data concerned.
 
Where the breach of security or loss of integrity may adversely affect a natural or legal person to whom the trust service has been provided, the trust service provider shall also notify the natural or legal person, without undue delay, of the breach of security or loss of integrity.
 
Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the notified supervisory body shall inform the supervisory bodies of the other Member States concerned and ENISA thereof.
 
The notified supervisory body shall inform the public or require the trust service provider to do so, if it considers the disclosure of the breach of security or loss of integrity to be in the public interest.
 
3. The supervisory body shall provide ENISA annually with a summary of security breach and loss of integrity notifications received from trust service providers.
 
4. The Commission may, by means of implementing acts, provide for:
 
a)
 
further specification of the measures referred to in paragraph 1; and
 
b)
 
the definition of the formats and procedures, including time limits, applicable for the purposes of paragraph 2.
 
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
 
SECTION 3
 
Qualified trust services
 
Article 20
 
Supervision of qualified trust service providers
 
1. Qualified trust service providers shall be audited at least every 24 months, at their own expense, by a conformity assessment body. The purpose of the audit shall be to confirm that both qualified trust service providers and the qualified trust services they provide comply with the requirements set out in this Regulation. Qualified trust service providers shall send the corresponding conformity assessment report to the supervisory body within three working days of receipt.
 
2. Without prejudice to paragraph 1, the supervisory body may at any time audit or request a conformity assessment body to carry out a conformity assessment of qualified trust service providers, at the expense of those trust service providers, to confirm that they and the qualified trust services they provide comply with the requirements of this Regulation. In case of a possible breach of the rules on the protection of personal data, the supervisory body shall inform the data protection authorities of the results of its audits.
 
3. Where the supervisory body requires a qualified trust service provider to remedy a breach of requirements of this Regulation and that provider fails to act accordingly, where applicable, within the period set by the supervisory body, the supervisory body, taking into account in particular the extent, duration and consequences of such breach, may withdraw the qualification of the provider or the service it provides and inform the body referred to in Article 22(3) for the purpose of updating the trusted list referred to in Article 22(1). The supervisory body shall inform the qualified trust service provider of the withdrawal of its qualification or of the qualification of the service concerned.
 
4. The Commission may, by means of implementing acts, establish reference numbers of the following standards:
 
a)
 
for the accreditation of conformity assessment bodies and for the conformity assessment report referred to in paragraph 1;
 
b)
 
for the auditing arrangements under which conformity assessment bodies shall carry out the conformity assessment of qualified trust service providers referred to in paragraph 1.
 
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
 
Article 21

Initiation of a qualified trust service

1. Where non-qualified trust service providers intend to start providing qualified trust services, they shall submit to the supervisory body a notification of their intention together with a conformity assessment report issued by a conformity assessment body.

2. The supervisory body shall verify whether the trust service provider and the trust services it provides comply with the requirements set out in this Regulation, and in particular with the requirements set out for qualified trust service providers and the qualified trust services they provide.

If the supervisory body concludes that the trust service provider and the trust services provided by it comply with the requirements referred to in the first subparagraph, the supervisory body shall grant qualification to the trust service provider and the trust services provided by it and shall communicate this to the body referred to in Article 22(3) for the purpose of updating the trusted lists referred to in Article 22(1) no later than three months after the notification in accordance with paragraph 1 of this Article.

If the verification has not been completed within three months, the supervisory body shall inform the trust service provider specifying the reasons for the delay and the envisaged deadline for completion of the verification.

3. Qualified trust service providers may start providing the qualified trust service once the qualified status has been indicated in the trusted lists referred to in Article 22(1).

4. The Commission may, by means of implementing acts, define the formats and procedures for the purposes of paragraphs 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 22

Trusted lists

1. Each Member State shall establish, maintain and publish trusted lists containing information relating to the qualified trust service providers for which it is responsible, together with information relating to the qualified trust services provided by them.

2. Member States shall establish, maintain and publish, in a secure manner, the electronically signed or electronically sealed trusted lists referred to in paragraph 1 in a form suitable for automatic processing.

3. Member States shall notify to the Commission, without undue delay, information on the body responsible for the establishment, maintenance and publication of the national trusted lists, and details concerning the place where these lists are published, the certificates used to sign or seal the trusted lists and any changes thereto.

4. The Commission shall make the information referred to in paragraph 3 available to the public through a secure channel in an electronically signed or sealed form suitable for automated processing.

5. By 18 September 2015 the Commission shall, by means of implementing acts, specify the information referred to in paragraph 1 and define the technical specifications and formats of trusted lists applicable for the purposes of paragraphs 1 to 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 23

EU trust mark for qualified trust services

1. After the qualified status referred to in the second subparagraph of Article 21(2) has been indicated in the trusted list referred to in Article 22(1), qualified trust service providers may use the EU trust mark to indicate in a simple, recognisable and clear manner the qualified trust services they provide.

2. When using the EU trust mark for the qualified trust services referred to in paragraph 1, qualified trust service providers shall ensure that a link to the relevant trusted list is made available on their website.

3. By 1 July 2015 the Commission shall, by means of implementing acts, provide specifications with regard to the form, and in particular the presentation, composition, size and design of the EU trust mark for qualified trust services. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 24

Requirements for qualified trust service providers

1. When issuing a qualified certificate for a trust service, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, where applicable, any specific attributes of the natural or legal person to whom the qualified certificate is issued.

The information referred to in the first subparagraph shall be verified by the trust service provider either directly or through a third party in accordance with national law:

a)

in the presence of the natural person or of an authorized representative of the legal person; or

b)

remotely, using electronic identification means for which a physical presence of the natural person or of an authorised representative of the legal person was ensured prior to the issuance of the qualified certificate, and which meet the requirements set out in Article 8 with regard to the assurance levels "substantial" or "high"; or

c)

by means of a certificate of a qualified electronic signature or a qualified electronic seal issued in accordance with point (a) or (b); or

d)

using other nationally recognized methods of identification that provide security equivalent in terms of reliability to physical presence. The equivalent security shall be confirmed by a conformity assessment body.

SECTION 4

Electronic signature

Article 25

Legal effect of electronic signatures

1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.

2. A qualified electronic signature shall have a legal effect equivalent to that of a handwritten signature.

3. A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognized as a qualified electronic signature in all other Member States.

Article 26

Requirements for advanced electronic signatures

An advanced electronic signature shall meet the following requirements:

a)

be uniquely linked to the signatory;

b)

allow the identification of the signatory;

c)

be created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and

d)

be linked to the data signed by it in such a way that any subsequent modification thereof is detectable.

Article 27

Electronic signatures in public services

1. If a Member State requires an advanced electronic signature for the purpose of using an online service offered by, or on behalf of, a public sector body, that Member State shall recognise advanced electronic signatures, advanced electronic signatures based on a qualified certificate for electronic signatures, and qualified electronic signatures at least in the formats or using the methods defined in the implementing acts referred to in paragraph 5.

2. If a Member State requires an advanced electronic signature based on a qualified certificate for the purpose of using an online service offered by, or on behalf of, a public sector body, that Member State shall recognise advanced electronic signatures based on a qualified certificate and qualified electronic signatures at least in the formats or using the methods defined in the implementing acts referred to in paragraph 5.

3. Member States shall not require for the cross-border use of an online service offered by a public sector body an electronic signature whose level of security assurance is higher than that of a qualified electronic signature.

4. The Commission may, by means of implementing acts, establish reference numbers of standards for advanced electronic signatures. Compliance with the requirements for advanced electronic signatures referred to in paragraphs 1 and 2 of this Article and in Article 26 shall be presumed where an advanced electronic signature complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

5. By 18 September 2015, and taking into account existing Union practices, standards and legal acts, the Commission shall, by means of implementing acts, define the reference formats for advanced electronic signatures or reference methods where alternative formats are used. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 28

Qualified electronic signature certificates

1. Qualified certificates for electronic signatures shall meet the requirements laid down in Annex I.

2. Qualified certificates for electronic signatures shall not be subject to any mandatory requirements in excess of the requirements set out in Annex I.

3. Qualified certificates for electronic signatures may include specific additional non-mandatory attributes. Such attributes shall not affect the interoperability and recognition of qualified electronic signatures.

4. If a qualified certificate for electronic signatures has been revoked after initial activation, it shall lose its validity from the moment of its revocation, and its status shall not in any circumstances be reverted.

5. Subject to the following conditions, Member States may lay down national rules on the temporary suspension of qualified certificates for electronic signatures:

a)

If a qualified certificate for electronic signatures has been temporarily suspended, that certificate shall lose its validity during the period of suspension.

b)

The period of suspension shall be clearly indicated in the certificate database and the suspension status shall be visible, during the period of suspension, from the service providing the certificate status information.

6. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic signatures. Compliance with the requirements set out in Annex I shall be presumed where a qualified certificate for electronic signatures complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 29

Requirements for qualified electronic signature creation devices

1. Qualified electronic signature creation devices shall comply with the requirements set out in Annex II.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified electronic signature creation devices. Compliance with the requirements set out in Annex II shall be presumed where a qualified electronic signature creation device complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 30

Certification of qualified electronic signature creation devices

1. The conformity of qualified electronic signature creation devices with the requirements set out in Annex II shall be certified by appropriate public or private bodies designated by the Member States.

2. Member States shall notify the Commission of the names and addresses of the public or private bodies referred to in paragraph 1. The Commission shall make the information available to the Member States.

3. The certification referred to in paragraph 1 shall be based on the following elements:

a)

a security evaluation process carried out in accordance with the standards for the security evaluation of information technology products included in the list to be established in accordance with the second subparagraph; or

b)

a process other than the process referred to in point (a), provided that it uses comparable security levels and that the public or private bodies referred to in paragraph 1 notify that process to the Commission. That process may be used only in the absence of the standards referred to in point (a) or while the security evaluation process referred to in point (a) is ongoing.

The Commission shall, by means of implementing acts, establish the list of standards for the security evaluation of information technology products referred to in point (a). Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

4. The Commission shall be empowered to adopt delegated acts in accordance with Article 47 concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1 of this Article.

Article 31

Publication of a list of certified qualified electronic signature creation devices

1. Member States shall notify to the Commission, without undue delay and no later than one month after the certification is concluded, information on qualified electronic signature creation devices that have been certified by the bodies referred to in Article 30(1). They shall also notify to the Commission, without undue delay and no later than one month after the certification is cancelled, information on electronic signature creation devices that are no longer certified.

2. On the basis of the information received, the Commission shall establish, publish and maintain a list of certified qualified electronic signature creation devices.

3. The Commission may, by means of implementing acts, define the formats and procedures applicable for the purposes of paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 32

Requirements for the validation of qualified electronic signatures

1. The validation process of a qualified electronic signature shall confirm the validity of a qualified electronic signature provided that:

a)

the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;

b)

the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;

c)

the signature validation data corresponds to the data provided to the relying party;

d)

the unique set of data representing the signatory in the certificate is correctly provided to the relying party;

e)

if a pseudonym is used, the use of a pseudonym is clearly indicated to the relying party at the time of signing;

f)

the electronic signature has been created by means of a qualified electronic signature creation device;

g)

the integrity of the signed data has not been compromised;

h)

the requirements provided for in Article 26 have been complied with at the time of signing.

2. The system used to validate the qualified electronic signature shall provide the relying party with the correct result of the validation process and shall allow the relying party to detect any security relevant issues.

3. The Commission may, by means of implementing acts, establish reference numbers of standards relating to the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of a qualified electronic signature complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
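Article 32(1) reads as a checklist, and most of it can be checked by a program. As an added example (not part of the Regulation or of this post), the Go program below models the points a validator can decide on its own: (a) and (f) by reading the certificate's QC statements, (b) by building the chain to a trusted issuer as of the signing time, and (g) by verifying the signature over the data; (c), (d), (e) and (h) concern what the relying party is shown and are deliberately left out. The qcStatements extension OID and the ETSI QcCompliance and QcSSCD statement OIDs are real (RFC 3739, ETSI EN 319 412-5); everything else is constructed for the example: the root certificate stands in for a provider on a Member State trusted list, the signer name and signed text are invented, and `NewDemoPKI`, `Sign`, `Validate` and `hasQcStatement` are this example's own functions, not an API of any real validation service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Real OIDs (RFC 3739, ETSI EN 319 412-5): qcStatements extension, QcCompliance (qualified), QcSSCD (key in a QSCD).
var (
	oidQcStatements = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}
	oidQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}
	oidQcSSCD       = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4}
)

// One QCStatement; statementInfo is omitted because neither statement used here carries one.
type qcStatement struct{ ID asn1.ObjectIdentifier }

// Report: the Article 32(1) points a program can decide; (c), (d), (e), (h) concern what the relying party is shown.
type Report struct {
	QualifiedAtSigning  bool // (a) QcCompliance statement present
	ChainValidAtSigning bool // (b) chains to a trusted provider and was valid at signing time
	CreatedOnQSCD       bool // (f) QcSSCD statement present
	IntegrityIntact     bool // (g) signature verifies over the data
}

// Valid is the single outcome that Article 32(2) requires the system to report correctly.
func (r Report) Valid() bool {
	return r.QualifiedAtSigning && r.ChainValidAtSigning && r.CreatedOnQSCD && r.IntegrityIntact
}

// hasQcStatement reports whether the certificate's qcStatements extension carries want.
func hasQcStatement(cert *x509.Certificate, want asn1.ObjectIdentifier) bool {
	for _, ext := range cert.Extensions {
		var stmts []qcStatement
		if _, err := asn1.Unmarshal(ext.Value, &stmts); !ext.Id.Equal(oidQcStatements) || err != nil {
			continue // another extension, or a malformed one: never counts as qualified
		}
		for _, s := range stmts {
			if s.ID.Equal(want) {
				return true
			}
		}
	}
	return false
}

// Validate runs the checks; roots stands in for the providers on the Member States' trusted lists.
func Validate(data, sig, certDER []byte, signingTime time.Time, roots *x509.CertPool) (r Report, err error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return r, err
	}
	r.QualifiedAtSigning = hasQcStatement(cert, oidQcCompliance)
	r.CreatedOnQSCD = hasQcStatement(cert, oidQcSSCD)
	// Point (b) is judged at the time of signing, not at validation time.
	_, chainErr := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: signingTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	r.ChainValidAtSigning = chainErr == nil
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
		digest := sha256.Sum256(data)
		r.IntegrityIntact = ecdsa.VerifyASN1(pub, digest[:], sig)
	}
	return r, nil
}

// NewDemoPKI: a constructed root (stand-in for a qualified trust service provider) and a one-year signer certificate.
func NewDemoPKI(stmts []qcStatement) (*x509.CertPool, []byte, *ecdsa.PrivateKey, error) {
	now, year := time.Now(), 365*24*time.Hour
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	qc, _ := asn1.Marshal(stmts)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed TSP"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(2 * year)}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(year), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
		ExtraExtensions: []pkix.Extension{{Id: oidQcStatements, Value: qc}}}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &signerKey.PublicKey, caKey)
	return roots, leafDER, signerKey, err
}

// Sign does what a signature creation device does: ECDSA over SHA-256 of the data.
func Sign(data []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}
```

Two things the example leaves out on purpose, and a real validator must not: the signing time is taken on trust here, whereas point (b) only means something when the time comes from a qualified electronic time stamp (Article 42); and the certificate's revocation status as of that time (the status service of Annex I point (i)) is not consulted, so a certificate revoked before signing would still pass. The test for this block signs a constructed text, then shows that a tampered text fails point (g), a signing time after expiry fails point (b), a certificate without QcSSCD fails point (f) alone, and a certificate from an issuer outside the trusted pool fails point (b).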

Article 33

Qualified validation service for qualified electronic signatures

1. A qualified validation service for qualified electronic signatures may only be provided by a qualified trust service provider that:

a) carries out validation in accordance with Article 32(1); and

b) allows relying parties to receive the result of the validation process in an automated manner which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for the qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of a qualified electronic signature complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 34

Qualified preservation service for qualified electronic signatures

1. A qualified preservation service for qualified electronic signatures may only be provided by a qualified trust service provider that uses procedures and technologies capable of extending the trustworthiness of the qualified electronic signature data beyond the technological validity period.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for the qualified preservation service for qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the qualified preservation service for qualified electronic signatures comply with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

SECTION 5

Electronic seals

Article 35

Legal effect of an electronic seal

1. An electronic seal shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements of a qualified electronic seal.


2. A qualified electronic seal shall enjoy the presumption of integrity of the data and the correctness of the origin of the data to which the qualified electronic seal is linked.


3. A qualified electronic seal based on a qualified certificate issued in one Member State shall be recognized as a qualified electronic seal in all other Member States.


Article 36

Requirements for advanced electronic seals


An advanced electronic seal shall meet the following requirements:


a) it is uniquely linked to the creator of the seal;

b) it is capable of identifying the creator of the seal;

c) it is created using electronic seal creation data that the creator of the seal can, with a high level of confidence, use under its sole control for electronic seal creation; and

d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable.


Article 37


Electronic seals in public services


1. If a Member State requires an advanced electronic seal for the purpose of using an online service offered by or on behalf of a public sector body, that Member State shall recognise advanced electronic seals, advanced electronic seals based on a qualified certificate for electronic seals and qualified electronic seals at least in the formats or with the methods defined in the implementing acts referred to in paragraph 5.

2. If a Member State requires an advanced electronic seal based on a qualified certificate in order to use an online service offered by or on behalf of a public sector body, that Member State shall recognise advanced electronic seals based on a qualified certificate and qualified electronic seals at least in the formats or with the methods defined in the implementing acts referred to in paragraph 5.


3. Member States shall not require, for cross-border use in an online service offered by a public sector body, an electronic seal whose security level is higher than that of a qualified electronic seal.


4. The Commission may, by means of implementing acts, establish reference numbers of standards for advanced electronic seals. Compliance with the requirements for advanced electronic seals referred to in paragraphs 1 and 2 of this Article and in Article 36 shall be presumed where an advanced electronic seal complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).


5. By 18 September 2015, and taking into account existing practices, Union standards and legal acts, the Commission shall adopt implementing acts defining the reference formats for advanced electronic seals or reference methods where alternative formats are used. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 38


Qualified certificates of electronic seal


1. Qualified certificates of electronic seal shall meet the requirements set forth in Annex III.


2. Qualified certificates for electronic seals shall not be subject to any mandatory requirements exceeding the requirements laid down in Annex III.


3. Qualified certificates for electronic seals may include specific additional non-mandatory attributes. Such attributes shall not affect the interoperability and recognition of qualified electronic seals.


4. If a qualified certificate of electronic seal has been revoked after its initial activation, it shall lose its validity from the moment of its revocation and shall under no circumstances be able to recover its status.


5. Subject to the conditions set out below, Member States may lay down national rules on the temporary suspension of qualified certificates for electronic seals:


a) if a qualified certificate for electronic seal has been temporarily suspended, that certificate shall lose its validity for the period of suspension;

b) the period of suspension shall be clearly indicated in the certificate database and the suspension status shall be visible, during the period of suspension, from the service providing information on the status of the certificate.


6. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seal. Compliance with the requirements set out in Annex III shall be presumed where a qualified certificate for electronic seal complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).


Article 39


Qualified electronic seal creation devices


1. Article 29 shall apply mutatis mutandis to the requirements for qualified electronic seal creation devices.


2. Article 30 shall apply mutatis mutandis to the certification of qualified electronic seal creation devices.


3. Article 31 shall apply mutatis mutandis to the publication of a list of certified qualified electronic seal creation devices.

Article 40


Validation and preservation of qualified electronic seals


Articles 32, 33 and 34 shall apply mutatis mutandis to the validation and preservation of qualified electronic seals.


SECTION 6


Electronic time stamp


Article 41


Legal effect of electronic time stamps


1. An electronic time stamp shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements of a qualified electronic time stamp.


2. Qualified electronic time stamps shall enjoy a presumption of accuracy of the date and time they indicate and of the integrity of the data to which the date and time are linked.


3. A qualified electronic time stamp issued in one Member State shall be recognized as a qualified electronic time stamp in all Member States.


Article 42


Requirements for qualified electronic time stamps


1. A qualified electronic time stamp shall meet the following requirements:


a) it binds the date and time to the data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;

b) it is based on an accurate time source linked to Coordinated Universal Time; and

c) it is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for the binding of date and time to data and for accurate time sources. Compliance with the requirements laid down in paragraph 1 shall be presumed where the binding of date and time to data and the accurate time source comply with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).


SECTION 7


Certified electronic delivery service

Article 43


Legal effect of a certified electronic delivery service


1. Data sent and received by means of a certified electronic delivery service shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that they are in electronic form or do not meet the requirements of a qualified certified electronic delivery service.


2. Data sent and received through a qualified electronic certified delivery service shall enjoy the presumption of the integrity of the data, the sending of such data by the identified sender, the receipt by the identified recipient, and the accuracy of the date and time of sending and receipt of the data as indicated by the qualified electronic certified delivery service.


Article 44


Requirements for qualified electronic registered delivery services


1. Qualified electronic certified delivery services shall comply with the following requirements:


a) be provided by one or more qualified trust service providers;

b) ensure with a high level of reliability the identification of the sender;

c) ensure the identification of the recipient before the delivery of the data;

d) the sending and receiving of data is secured by an advanced electronic signature or an advanced electronic seal of a qualified trust service provider in such a way as to preclude the possibility of the data being changed undetectably;

e) any change to the data needed for the purpose of sending or receiving the data is clearly indicated to the sender and to the recipient of the data;

f) the date and time of sending, receiving and any change of the data are indicated by a qualified electronic time stamp.

Where the data are transferred between two or more qualified trust service providers, the requirements in points (a) to (f) shall apply to all the qualified trust service providers.


2. The Commission may, by means of implementing acts, establish reference numbers of standards relating to the processes of sending and receiving data. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process of sending and receiving data complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).


SECTION 8


Authentication of websites

Article 45


Requirements for qualified certificates for website authentication


1. Qualified certificates for website authentication shall comply with the requirements set out in Annex IV.


2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. Compliance with the requirements set out in Annex IV shall be presumed where a qualified website authentication certificate complies with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).


CHAPTER IV


ELECTRONIC DOCUMENTS


Article 46

Legal effects of electronic documents


An electronic document shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form.


CHAPTER V


DELEGATION OF POWERS AND IMPLEMENTING PROVISIONS


Article 47


Exercise of the delegation


1. The Commission is empowered to adopt delegated acts subject to the conditions laid down in this Article.


2. The power to adopt the delegated acts referred to in Article 30(4) shall be conferred on the Commission for an indeterminate period of time from 17 September 2014.


3. The delegation of power referred to in Article 30(4) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of the powers specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.


4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.


5. A delegated act adopted pursuant to Article 30(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. The period shall be extended by two months at the initiative of the European Parliament or the Council.

Article 48


Committee procedure


1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.


2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.


CHAPTER VI


FINAL PROVISIONS


Article 49


Review


The Commission shall review the application of this Regulation and report to the European Parliament and the Council by 1 July 2020. The Commission shall in particular assess whether it is appropriate to amend the scope of this Regulation or its specific provisions, including Articles 6, 7(f), 34, 43, 44 and 45, taking into account the experience gained in the application of this Regulation, as well as technological, market and legal developments.


The report referred to in the first subparagraph shall be accompanied, if necessary, by legislative proposals.


The Commission shall also submit a report to the European Parliament and the Council every four years following the report referred to in the first subparagraph on progress towards achieving the objectives of this Regulation.


Article 50


Repeal


1. Directive 1999/93/EC shall be repealed with effect from 1 July 2016.


2. References to the repealed Directive shall be construed as references to this Regulation.


Article 51


Transitional Measures


1. Secure signature-creation devices whose compliance has been determined in accordance with Article 3(4) of Directive 1999/93/EC shall be considered as qualified electronic signature creation devices within the meaning of this Regulation.


2. Qualified certificates issued to natural persons in accordance with Directive 1999/93/EC shall be considered qualified certificates for electronic signatures within the meaning of this Regulation until they expire.


3. A certification-service-provider issuing qualified certificates in accordance with Directive 1999/93/EC shall submit a conformity assessment report to the supervisory body as soon as possible but not later than 1 July 2017. Until the certification-service-provider submits such a conformity assessment report and the supervisory body completes its analysis, that certification-service-provider shall be considered, under this Regulation, as a qualified trust service provider.


4. If a certification-service-provider issuing qualified certificates in accordance with Directive 1999/93/EC fails to submit a conformity assessment report to the supervisory body within the deadline referred to in paragraph 3, that certification-service-provider may not be considered, under this Regulation, as a qualified trust service provider as from 2 July 2017.


Article 52


Entry into force


1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.


2. This Regulation shall apply from 1 July 2016, with the exception of the following provisions:


a) Articles 8(3), 9(5), 12(2) to (9), 17(8), 19(4), 20(4), 21(4), 22(5), 23(3), 24(5), 27(4) and (5), 28(6), 29(2), 30(3) and (4), 31(3), 32(3), 33(2), 34(2), 37(4) and (5), 38(6), 42(2), 44(2), 45(2), and Articles 47 and 48 shall apply from 17 September 2014;

b) Articles 7, 8(1) and (2), 9, 10, 11 and 12(1) shall apply from the date of application of the implementing acts referred to in Articles 8(3) and 12(8);

c) Article 6 shall apply from three years after the date of application of the implementing acts referred to in Articles 8(3) and 12(8).


3. Where the notified electronic identification scheme is included in the list published by the Commission pursuant to Article 9 before the date referred to in paragraph 2(c) of this Article, the recognition of electronic identification means issued under that scheme pursuant to Article 6 shall be carried out at the latest 12 months after the publication of that scheme, but not before the date referred to in paragraph 2(c) of this Article.


4. By way of derogation from paragraph 2(c) of this Article, a Member State may decide that the means of electronic identification under the electronic identification scheme notified in accordance with Article 9(1) by another Member State shall be recognized in the first Member State as from the date of application of the implementing acts provided for in Articles 8(3) and 12(8). The Commission shall make that information publicly available.


This Regulation shall be binding in its entirety and directly applicable in all Member States.


Done at Brussels, 23 July 2014.


For the Parliament


The President


M. SCHULZ


For the Council


The President


S. GOZI

(1) OJ C 351, 15.11.2012, p. 73.


(2) Position of the European Parliament and of the Council of 3 April 2014 (not yet published in the Official Journal) and Council Decision of 23 July 2014.


(3) Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (OJ L 13, 19.1.2000, p. 12).


(4) OJ C 50, 21.2.2012, p. 1.


(5) Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (OJ L 376, 27.12.2006, p. 36).


(6) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).


(7) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).


(8) Council Decision 2010/48/EC of 26 November 2009 concerning the conclusion, by the European Community, of the United Nations Convention on the Rights of Persons with Disabilities (OJ L 23, 27.1.2010, p. 35).


(9) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).


(10) Commission Decision 2009/767/EC of 16 October 2009 adopting measures facilitating the use of procedures by electronic means through the points of single contact under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (OJ L 274, 20.10.2009, p. 36).


(11) Commission Decision 2011/130/EU of 25 February 2011 laying down minimum requirements for cross-border processing of electronically signed documents by competent authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (OJ L 53, 26.2.2011, p. 66).


(12) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).


(13) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).


(14) OJ C 28, 30.1.2013, p. 6.


(15) Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65).


ANNEX I


REQUIREMENTS FOR QUALIFIED CERTIFICATES OF ELECTRONIC SIGNATURE


The qualified certificates of electronic signature shall contain:


a) an indication, at least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for electronic signature;

b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates, including at least the Member State in which that provider is established and:
   - for a legal person: the name and, where applicable, the registration number as recorded in the official registers,
   - for a natural person: the person's name;

c) at least the name of the signatory, or a pseudonym; if a pseudonym is used, it shall be clearly indicated;

d) electronic signature validation data corresponding to the electronic signature creation data;

e) the data relating to the beginning and end of the certificate's period of validity;

f) the certificate identity code, which must be unique for the qualified trust service provider;

g) the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;

h) the place where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (g) is freely available;

i) the location of the services that can be used to consult the validity status of the qualified certificate;

j) where the electronic signature creation data related to the electronic signature validation data are located in a qualified electronic signature creation device, an appropriate indication of this, at least in a form suitable for automated processing.


ANNEX II


REQUIREMENTS FOR QUALIFIED ELECTRONIC SIGNATURE CREATION DEVICES


1. Qualified electronic signature creation devices shall ensure, by appropriate technical and procedural means, at least that:

a) the confidentiality of the electronic signature creation data used for electronic signature creation is reasonably assured;

b) the electronic signature creation data used for electronic signature creation can in practice occur only once;

c) the electronic signature creation data used for electronic signature creation cannot, with reasonable assurance, be derived, and the electronic signature is reliably protected against forgery using currently available technology;

d) the electronic signature creation data used for electronic signature creation can be reliably protected by the legitimate signatory against use by others.

2. Qualified electronic signature creation devices shall not alter the data to be signed or prevent such data from being presented to the signatory prior to signing.

3. Generating or managing electronic signature creation data on behalf of the signatory may only be done by a qualified trust service provider.

4. Without prejudice to point 1(d), qualified trust service providers managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation data only for back-up purposes, provided that the following requirements are met:

a) the security of the duplicated data sets is at the same level as for the original data sets;

b) the number of duplicated data sets does not exceed the minimum needed to ensure continuity of the service.


ANNEX III


REQUIREMENTS OF THE QUALIFIED CERTIFICATES OF ELECTRONIC SEAL


The qualified certificates of electronic seal shall contain:


a) an indication, at least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for electronic seal;

b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates, including at least the Member State in which that provider is established and:
   - for a legal person: the name and, where applicable, the registration number as recorded in the official registers,
   - for a natural person: the person's name;

c) at least the name of the creator of the seal and, where applicable, the registration number as recorded in the official registers;

d) electronic seal validation data corresponding to the electronic seal creation data;

e) the data relating to the beginning and end of the certificate's period of validity;

f) the certificate identity code, which must be unique for the qualified trust service provider;

g) the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;

h) the place where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (g) is freely available;

i) the location of the services that can be used to consult the validity status of the qualified certificate;

j) where the electronic seal creation data related to the electronic seal validation data are located in a qualified electronic seal creation device, an appropriate indication of this, at least in a form suitable for automated processing.


ANNEX IV


REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR WEBSITE AUTHENTICATION


Qualified website authentication certificates shall contain:


a) an indication, at least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for website authentication;

b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates, including at least the Member State in which that provider is established and:
   - for a legal person: the name and, where applicable, the registration number as recorded in the official registers,
   - for a natural person: the person's name;

c) for natural persons: at least the name of the person to whom the certificate is issued, or a pseudonym; if a pseudonym is used, it shall be clearly indicated; for legal persons: at least the name of the legal person to whom the certificate is issued and, where applicable, the registration number as recorded in the official registers;

d) elements of the address, including at least the city and State, of the natural or legal person to whom the certificate is issued and, where applicable, as recorded in the official registers;

e) the domain name or names operated by the natural or legal person to whom the certificate is issued;

f) the data relating to the beginning and end of the certificate's period of validity;

g) the certificate identity code, which must be unique for the qualified trust service provider;

h) the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;

i) the place where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (h) is freely available;

j) the location of the services that can be used to consult the validity status of the qualified certificate.
